Cisco ASA 5505 VPN Can't Talk to Internal VLANs

I have a Cisco ASA 5505 that I'm trying to set up VPN on. I got VPN to work fine, I get the VPN subnet (10.10.30.0) etc., but I can't talk to either the internal or the DMZ VLANs. I tried running NAT traversal but this didn't help. Any help would be greatly appreciated! I have attached my config below.


I already have logging enabled, which never really helped me with this. I did use the packet tracer though and tried a packet from inside .30.2 to inside .10.1. I hit an ACL drop, which turned out to be my implicit deny on the inside ACLs. I noticed that my inside ACLs only allow inside (10.0/24) traffic out to any destination. I added an ACL for 10.10.30.0/26 traffic out to any destination as well and this fixed my issue. I can now ping 10.1 from the 30.0 subnet (VPN).

I'm not sure why your setup with my old config worked, but this did the trick for me. It also occurred to me that not being able to ping 10.10.20.1 from the VPN subnet makes sense, since nothing on the DMZ VLAN is allowed to talk to the inside VLAN for security purposes (which covers .10.0 -> .20.0 as well as .30.0 -> .20.0).

My new ACLs are attached.

I hope this helps someone out. I obviously just didn't notice this ACL issue but was able to track it down with the packet tracer (man I love that thing). I guess I figured the inside-VLAN statement would cover the VPN statement, but I was wrong. Thanks for your help JFred, keep up the support!
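The ACL pattern the accepted answer above describes, written out as an added illustrative ASA configuration fragment (this is not the poster's attached config). The addressing is taken from the thread (inside 10.10.10.0/24, DMZ 10.10.20.0, VPN pool 10.10.30.0/26, inside gateway 10.10.10.1); the ACL names `inside_access_in` and `dmz_access_in`, the interface name `dmz`, and the /24 mask on the DMZ VLAN are assumptions:

```cisco
! Added example, not the original poster's configuration.
! Assumed (not in the thread): ACL names inside_access_in / dmz_access_in,
! interface name dmz, and a /24 mask for the DMZ VLAN.

! Starting point: the inside ACL only permits the inside VLAN itself, so
! any flow the ASA evaluates against it with a source in the VPN pool
! falls through to the implicit deny at the end of the list.
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group inside_access_in in interface inside

! Fix described in the thread: add an entry for the VPN pool as well.
! 10.10.30.0/26 is the wildcard-free ASA mask 255.255.255.192.
access-list inside_access_in extended permit ip 10.10.30.0 255.255.255.192 any

! DMZ policy the thread mentions: the DMZ may not initiate traffic to the
! inside VLAN (explicitly denied), and by extension not to the VPN pool
! either, while anything else (e.g. Internet) is still allowed.
access-list dmz_access_in extended deny ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dmz_access_in extended deny ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list dmz_access_in extended permit ip 10.10.20.0 255.255.255.0 any
access-group dmz_access_in in interface dmz

! Checks: replay the poster's test (ICMP echo, type 8 code 0, from a VPN
! client to the inside gateway) and confirm which ACE the packet matches,
! then look at the hit counters to see which entries are actually used.
packet-tracer input inside icmp 10.10.30.2 8 0 10.10.10.1 detailed
show access-list inside_access_in
```

The order of the DMZ entries matters: the ASA stops at the first matching ACE, so the two denies must precede the broad permit, or the permit would match first and the denies would never be reached. The `show access-list` hit counts are the quickest way to confirm that the new permit for the VPN pool is what is now matching, rather than some earlier entry.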

I ran your command, no dice. I cannot ping 10.10.10.1. I do not have a gateway on the VPN Windows XP interface either, but this is pretty standard as our Cisco 1811 and ASA 5510 at other locations work the same way... I can't tell if this is an ACL issue, a NAT issue or a route issue, but I suspect one of these areas to be the cause of the internal subnets being unreachable.


The only route is the router above the ASA. Traffic gets out by hitting the ASA and then seeing route 1, which is the next hop, the router. The route is on the outside interface, so traffic knows to go out that way.

I am referring to where you are attempting to VPN from. What is the local LAN subnet in use where you are testing from? Make sure it doesn't conflict since you are split tunneling. So the router on the outside isn't doing NAT or any filtering? I would take your test VPN PC and plug directly into the outside interface of the ASA and give yourself the router IP then try to VPN again.

Ah, sorry, I set the subnets so they would not conflict with any others. My local subnet is 10.20.30.0, so I will not conflict. I'm not anywhere near the DC this ASA is in, hence the need for VPN, so I can't connect directly. When I was in the DC I did try it on the same network, but it would still have gone through the router. The router is not doing any filtering and no NAT is required as it is a global IP. Hope this helps!

In the Cisco VPN client, under the Transport tab, you have UDP encapsulation selected, right? Is there anything on the network you are connecting from that could be filtering UDP 4500? Have you tried from home by chance?

Tried from work and home :-\. Work is also not on the same subnet. Outbound, everything is allowed. For that matter, I've already tried it via my iPhone over AT&T 3G; the VPN connected fine but I couldn't navigate to the https://10.10.10.1 address. I don't think firewalls are at play here...

Traffic just can't get from the VPN 10.10.30.0 to .10 or something. I really wish these ASAs would come with Easy VPN Server like the 1800 routers.